CVE-2025-59471
Denial of Service in Next.js Image Optimizer via Large Remote Images
Publication date: 2026-01-26
Last updated on: 2026-02-13
Assigner: HackerOne
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vercel | next.js | From 10.0.0 (inc) to 15.5.10 (exc) |
| vercel | next.js | From 16.0.0 (inc) to 16.1.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a denial of service in self-hosted Next.js applications that use the Image Optimizer with `remotePatterns` configured. The image optimization endpoint (`/_next/image`) fetches the upstream image and buffers the whole body in memory before processing it, with no cap on its size. Anyone who can reach `/_next/image` can ask it to optimize a very large image hosted on a domain that `remotePatterns` allows; a handful of such requests exhaust the process's memory and the application becomes unavailable. The attacker needs a large image on an allowed host, so exposure is greatest when `remotePatterns` uses wildcard hostnames or allows hosts that serve user-uploaded content.
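To make the failure mode concrete, here is an added example (my own code, not from the Next.js project) that models an unbounded remote-image read next to a bounded one. The "remote server" is a constructed in-memory stream so it runs offline; `MAX_IMAGE_BYTES`, `makeResponse` and the function names are hypothetical. The bounded version rejects on the declared `Content-Length` first, then enforces the same cap while streaming, so a missing or false `Content-Length` cannot bypass it.

```javascript
// Added example, not Next.js code. Requires Node 18+ (global ReadableStream, Headers).

const MAX_IMAGE_BYTES = 1 * 1024 * 1024; // hypothetical cap for this example

// Constructed stand-in for a remote HTTP response whose body arrives in chunks.
function makeResponse(totalBytes, { declareLength = true, chunkSize = 64 * 1024 } = {}) {
  let sent = 0;
  const body = new ReadableStream({
    pull(controller) {
      if (sent >= totalBytes) { controller.close(); return; }
      const n = Math.min(chunkSize, totalBytes - sent);
      controller.enqueue(new Uint8Array(n)); // zero-filled, content is irrelevant here
      sent += n;
    },
  });
  const headers = new Headers();
  if (declareLength) headers.set('content-length', String(totalBytes));
  return { headers, body };
}

class ImageTooLargeError extends Error {
  constructor(message, bytesRead) {
    super(message);
    this.name = 'ImageTooLargeError';
    this.bytesRead = bytesRead; // how much was buffered before rejection
  }
}

// Vulnerable pattern: read the entire body into memory, then look at it.
// Memory is already spent by the time the size is known. Returns bytes read.
async function fetchRemoteUnbounded(res) {
  const reader = res.body.getReader();
  const chunks = [];
  let total = 0;
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    chunks.push(value);
    total += value.byteLength;
  }
  return total;
}

// Hardened pattern: refuse early on the advertised size, and keep counting
// while streaming so the cap holds even without a Content-Length header.
async function fetchRemoteBounded(res, maxBytes = MAX_IMAGE_BYTES) {
  const declared = res.headers.get('content-length');
  // Number(non-numeric) is NaN, and NaN > maxBytes is false, so a garbage
  // header simply falls through to the streaming check below.
  if (declared !== null && Number(declared) > maxBytes) {
    throw new ImageTooLargeError(`declared ${declared} bytes exceeds ${maxBytes}`, 0);
  }
  const reader = res.body.getReader();
  const chunks = [];
  let total = 0;
  try {
    for (;;) {
      const { done, value } = await reader.read();
      if (done) break;
      total += value.byteLength;
      if (total > maxBytes) {
        throw new ImageTooLargeError(`body exceeded ${maxBytes} bytes`, total);
      }
      chunks.push(value);
    }
  } finally {
    // Always release the source so it stops producing, whether we finished or bailed.
    await reader.cancel().catch(() => {});
  }
  const out = new Uint8Array(total);
  let offset = 0;
  for (const c of chunks) { out.set(c, offset); offset += c.byteLength; }
  return out;
}

// Usage: a 4 MiB body with no Content-Length is fully buffered by the
// vulnerable reader and rejected after one chunk past the cap by the bounded one.
async function demo() {
  const big = () => makeResponse(4 * 1024 * 1024, { declareLength: false });
  const unboundedBytes = await fetchRemoteUnbounded(big());
  const boundedResult = await fetchRemoteBounded(big()).then(() => 'accepted', (e) => e.name);
  return { unboundedBytes, boundedResult };
}
demo().then((r) => console.log(r));
```

The order of the two checks matters: the `Content-Length` test is cheap but advisory, because the upstream host is attacker-chosen and can omit or misstate it; the streaming counter is what actually bounds memory.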
How can this vulnerability impact me?
An attacker can exhaust the application's memory by repeatedly requesting optimization of large images from an allowed external domain. The Next.js process crashes or stops responding, taking the whole application offline; because the requests are unauthenticated calls to `/_next/image`, this can be repeated as soon as the process restarts. No data is exposed or modified; the impact is on availability.
What immediate steps should I take to mitigate this vulnerability?
Upgrade to a fixed release: 15.5.10 or later on the 15.x line, or 16.1.5 or later on the 16.x line. Since the affected range starts at 10.0.0, deployments on 10.x through 14.x have no patched release in their own line and must move to 15.5.10 or later. Until you can upgrade, reduce exposure by narrowing `images.remotePatterns` to hosts you control, with explicit hostnames and path prefixes rather than wildcard hostnames, and by not allowing hosts that serve user-uploaded files; this limits who can supply the oversized image but does not remove the missing size limit, so it is a stopgap, not a fix.
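An added example of the stopgap configuration, showing a permissive `images.remotePatterns` setting beside a narrowed one. This is my own illustration, not configuration from the Next.js project or from any affected application, and the hostnames and paths are hypothetical.

```javascript
// Added example: two `images` settings for next.config.js (hypothetical hosts).
// Weak: a "**" hostname lets /_next/image fetch from any HTTPS host, so an
// attacker can serve the oversized image from a server they control.
const weakImagesConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: '**' },
    ],
  },
};

// Narrowed: one host you operate, pinned to the path prefix that serves
// images. Anything that is not an exact match is refused by the optimizer.
// This only limits who can supply the image; the fixed Next.js release is
// still required to bound how much of it is buffered.
const hardenedImagesConfig = {
  images: {
    remotePatterns: [
      { protocol: 'https', hostname: 'cdn.example.com', pathname: '/images/**' },
    ],
  },
};

// In next.config.js you would export the hardened object as the config
// (module.exports = hardenedImagesConfig); both are kept here for comparison.
console.log(JSON.stringify({ weakImagesConfig, hardenedImagesConfig }, null, 2));
```

If the pinned host itself stores user-uploaded files, an authenticated user of that host can still place a large image there, so pair the pattern change with the upgrade rather than relying on it alone.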